Spy law changes allow broader data mining

On Wednesday, President Joe Biden signed a bill reauthorizing one of the intelligence community’s most powerful spy tools for protecting national security. The Foreign Intelligence Surveillance Act (FISA) sets the parameters of how the United States uses surveillance to detect threats to the country.

Penalties for 702 violations
FISA Section 702 allows for the collection of private communications of foreign targets outside of the United States without a warrant. But recent reports have shown that the FBI has turned to the tool on Americans, spying on journalists, political groups, and in one case a romantic interest. To dissuade such abuses from reoccurring, last week’s bill heightened the penalties for misuse of the power.

Unauthorized disclosure of a FISA application or its contents is now a criminal offense punishable by up to 10 years in prison. Any civil damages resulting from such a disclosure are remediable by up to $10,000 per violation per day.

Restrictions on the FBI

As the domestic-facing portion of the intelligence community with jurisdiction over national security threats inside of the United States, many of the FISA reforms specifically apply only to the FBI. In cases where there’s a threat to national security, FISA’s parameters allow the bureau to investigate U.S. communications with the use of a court order. Under the revisions to the law, FBI personnel must now obtain approval from a senior official or a legal adviser to submit a FISA query except in cases in which there is a “threat to life or serious bodily harm.” If the search may involve the personal information of an elected official, that bar goes even higher, requiring approval from the deputy director of the FBI.

The update also carries new oversight measures. For every query the FBI conducts on an American, the Department of Justice will conduct an accompanying review within 180 days. The agency must also have a written reason for having conducted the query on any U.S. person (a citizen, resident, or person within the country), and the FBI must report those searches to Congress annually. More broadly, the inspector general will perform an audit on the FBI 1½ years after the enactment of the legislation.

Additionally, the bill tightens the loop on permissible searches for the bureau; the FBI is explicitly forbidden from using Section 702 authority to investigate anything but a national security risk, ruling out queries used to find evidence of a different crime.

Because agencies like the CIA monitor foreign threats—in which cases the use of warrantless surveillance is lawful under FISA—these requirements will not apply to them.

What’s a “service provider?”

Of the many changes Congress passed last week, the most controversial might be the expansion of the definition of a “service provider.” Per the original FISA text, the intelligence community may collect “foreign intelligence information from or with the assistance of an electronic communication service provider.” At the time, that meant companies like Verizon, Comcast, or ECI Telecom that house and transmit user data. The updated definition includes any entity with “access to equipment that is being or may be used to transmit or store wire or electronic communications.” The law lays out examples such as a public accommodation facility, a dwelling, a community facility, a food service establishment, and more.

The changes have alarmed privacy advocates like Elizabeth Goitein, senior director of liberty and national security at the Brennan Center for Justice. Goitein helped legislators in the House of Representatives craft reform language for FISA. As the bill made its way through the Senate, Goitein took to X, the site formerly known as Twitter, to protest the change.

“[The bill] contains a terrifying provision that will force U.S. businesses to serve as spies,” Goitein wrote.

White House national security adviser Jake Sullivan issued a statement pushing back on that characterization, arguing that the change would eliminate legally murky areas in the application of FISA’s power.

“This amendment is a technical fix designed to account for changing technological realities—the definition of ‘electronic service providers’ adopted when section 702 was first enacted in 2008 does not account for the technologies of 2024,” Sullivan said.

Two years instead of five

FISA’s most recent authorization lasted for five years. Conservatives in the House of Representatives pressed to bring that timeline down to just two, setting up another clash over the spy tool in 2026.

FISA skeptics view the timeline change as a safety measure in case the modified restrictions don’t prevent abuse. Rep. Thomas Massie, R-Ky., didn’t think the package went far enough to protect American privacy rights. While he ultimately voted against the bill, Massie supported the change to the authorization’s lifespan.

“The two-year provision—generally I think shorter renewals are better,” Massie said. “But what it does is that this will come up for renewal under a president who has already renewed FISA once,” Massie said, noting that former President Donald Trump signed a reauthorization of the program in

2018.

Regardless of who wins the 2024 presidential election, the president will have already had a hand in forming FISA’s powers when it comes up for consideration again in 2026.